Re: Patch to include PAM support...
From | Dominic J. Eidson |
---|---|
Subject | Re: Patch to include PAM support... |
Date | |
Msg-id | Pine.LNX.4.21.0106121211420.6822-100000@morannon.the-infinite.org |
In response to | Patch to include PAM support... ("Dominic J. Eidson" <sauron@the-infinite.org>) |
Responses | Re: Patch to include PAM support... |
List | pgsql-patches |
On Tue, 12 Jun 2001, Bruce Momjian wrote:

> > Bruce Momjian <pgman@candle.pha.pa.us> writes:
> > > I know there was concerns about blocking but is that problem any more so
> > > than other interfaces we already support?
> >
> > We don't need to make it worse. We've already had trouble reports about
> > postmaster hangups with broken IDENT servers; PAM will hugely expand the
> > scope of potential troubles. Can you say "denial of service"?
>
> Does it really? You are saying PAM can make "denial of service" attacks
> even easier than ident?

If anything, then "possibly as easy as ident" - but that's a worst case scenario. And the reason for that is because they both potentially use outside server/services. PAM doesn't _have_ to authenticate into external devices, the LDAP example is just an example from my/our situation. You could use PAM to authenticate into the local system password file, and/or use it to create user limits (Only 3 connections per user, as example..)

> If it is the same risk, I think it is OK, but if it is worse, I see your
> point. (I don't know much about PAM except it allows authentication.)

My apologies if PAM has somehow been equated to "remote server authentication piece" - there is a lot more to PAM than the ability to easily do remote authentication.

http://www.kernel.org/pub/linux/libs/pam/whatispam.html
http://www.kernel.org/pub/linux/libs/pam/FAQ

--
Dominic J. Eidson
"Baruk Khazad! Khazad ai-menu!" - Gimli
-------------------------------------------------------------------------------
http://www.the-infinite.org/ http://www.the-infinite.org/~dominic/